Date: 2023-03-26
Configure BGP4+ between different ASs so that the two AS networks can exchange routes.
Networking Requirements
As shown in Figure 1, in an IPv6 network, FW_A serves as the enterprise firewall and egress gateway. FW_A connects to the Internet through the carrier network. Devices on the enterprise intranet run IBGP among themselves.
The carrier network is also an IPv6 network. The carrier's border router (Router) already has BGP configured.
An EBGP connection is established between FW_A and Router.
Figure 1 Basic networking for BGP4+ configuration
| Item | Data |
|---|---|
| FW_A | Interface: GigabitEthernet 1/0/1, IP address: 10::1/64, security zone: Untrust |
| | Interface: GigabitEthernet 1/0/2, IP address: 9:3::1/64, security zone: Trust |
| | Interface: GigabitEthernet 1/0/3, IP address: 9:1::1/64, security zone: Trust |
| FW_B | Interface: GigabitEthernet 1/0/1, IP address: 9:3::2/64, security zone: Untrust |
| | Interface: GigabitEthernet 1/0/3, IP address: 9:2::1/64, security zone: Trust |
| FW_C | Interface: GigabitEthernet 1/0/1, IP address: 9:1::2/64, security zone: Untrust |
| | Interface: GigabitEthernet 1/0/3, IP address: 9:2::2/64, security zone: Trust |
Configuration Roadmap
Configure basic BGP4+ functions as follows:
1. Configure IBGP connections among FW_A, FW_B, and FW_C.
2. Configure an EBGP connection between Router and FW_A.
Procedure
# Configure FW_A: enable IPv6 and assign IPv6 addresses to the interfaces.
```
<FW> system-view
[FW] sysname FW_A
[FW_A] ipv6
[FW_A] interface GigabitEthernet1/0/1
[FW_A-GigabitEthernet1/0/1] ipv6 enable
[FW_A-GigabitEthernet1/0/1] ipv6 address 10::1 64
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet1/0/2
[FW_A-GigabitEthernet1/0/2] ipv6 enable
[FW_A-GigabitEthernet1/0/2] ipv6 address 9:3::1 64
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface GigabitEthernet1/0/3
[FW_A-GigabitEthernet1/0/3] ipv6 enable
[FW_A-GigabitEthernet1/0/3] ipv6 address 9:1::1 64
[FW_A-GigabitEthernet1/0/3] quit
```
# Configure FW_B: enable IPv6 and assign IPv6 addresses to the interfaces.
```
<FW> system-view
[FW] sysname FW_B
[FW_B] ipv6
[FW_B] interface GigabitEthernet1/0/1
[FW_B-GigabitEthernet1/0/1] ipv6 enable
[FW_B-GigabitEthernet1/0/1] ipv6 address 9:3::2 64
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet1/0/3
[FW_B-GigabitEthernet1/0/3] ipv6 enable
[FW_B-GigabitEthernet1/0/3] ipv6 address 9:2::1 64
[FW_B-GigabitEthernet1/0/3] quit
```
# Configure FW_C: enable IPv6 and assign IPv6 addresses to the interfaces.
```
<FW> system-view
[FW] sysname FW_C
[FW_C] ipv6
[FW_C] interface GigabitEthernet1/0/1
[FW_C-GigabitEthernet1/0/1] ipv6 enable
[FW_C-GigabitEthernet1/0/1] ipv6 address 9:1::2 64
[FW_C-GigabitEthernet1/0/1] quit
[FW_C] interface GigabitEthernet1/0/3
[FW_C-GigabitEthernet1/0/3] ipv6 enable
[FW_C-GigabitEthernet1/0/3] ipv6 address 9:2::2 64
[FW_C-GigabitEthernet1/0/3] quit
```
# Configure FW_A: add the interfaces to security zones.
```
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet1/0/2
[FW_A-zone-trust] add interface GigabitEthernet1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet1/0/1
[FW_A-zone-untrust] quit
```
# Configure FW_B: add the interfaces to security zones.
```
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet1/0/1
[FW_B-zone-untrust] quit
```
# Configure FW_C: add the interfaces to security zones.
```
[FW_C] firewall zone trust
[FW_C-zone-trust] add interface GigabitEthernet1/0/3
[FW_C-zone-trust] quit
[FW_C] firewall zone untrust
[FW_C-zone-untrust] add interface GigabitEthernet1/0/1
[FW_C-zone-untrust] quit
```
Only the basic security policy parameters required for this example are given here. In practice, set the other parameters of the security policy according to your actual conditions.
# Enable interzone policies from Trust to Untrust, from Local to Untrust, and from Untrust to Local so that packets can be forwarded normally.
```
[FW_A] security-policy
[FW_A-policy-security] rule name policy_sec_1
[FW_A-policy-security-rule-policy_sec_1] source-zone trust
[FW_A-policy-security-rule-policy_sec_1] destination-zone untrust
[FW_A-policy-security-rule-policy_sec_1] action permit
[FW_A-policy-security-rule-policy_sec_1] quit
[FW_A-policy-security] rule name policy_sec_2
[FW_A-policy-security-rule-policy_sec_2] source-zone local untrust
[FW_A-policy-security-rule-policy_sec_2] destination-zone local untrust
[FW_A-policy-security-rule-policy_sec_2] action permit
[FW_A-policy-security-rule-policy_sec_2] quit
[FW_A-policy-security] quit
```
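The rule policy_sec_2 above permits every service between the Local zone (the firewall itself) and Untrust (the Internet-facing side), which is exactly the "other parameters" the note says to tighten in practice. The following Python script is an added example, not part of the page: it parses rules written in the page's configuration-script format and flags permit rules that expose Local to Untrust without any service or address restriction, and then shows a narrowed rule passing the check. The `source-address` and `service` lines in the narrowed rule use an assumed syntax and the addresses 10::1 (FW_A) and 10::2 (Router) from the page's figure; they are illustrative, not copied from the page.

```python
"""Lint Huawei-style security-policy rules for overly broad Local<->Untrust permits."""
import re

# Rules exactly as they appear in the page's FW_A configuration script (constructed input).
PAGE_RULES = """\
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_sec_2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
"""

# Narrowed variant (assumed syntax, not from the page): the Local<->Untrust rule is
# limited to the EBGP peer pair and to TCP port 179, which is all BGP needs.
NARROWED_RULES = """\
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_bgp_peer
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address ipv6 10::1 128
  source-address ipv6 10::2 128
  service protocol tcp destination-port 179
  action permit
"""

RULE_RE = re.compile(r"^\s*rule name (\S+)\s*$")
KV_RE = re.compile(r"^\s*(\S+)\s*(.*?)\s*$")

# Keywords that narrow a rule; a permit rule carrying none of them matches any traffic.
RESTRICTING_KEYS = ("service", "source-address", "destination-address", "application", "user")


def parse_rules(text):
    """Return {rule_name: {keyword: [tokens...]}} from indented rule text."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = rules.setdefault(m.group(1), {})
            continue
        if current is None or not line.strip():
            continue  # header lines such as "security-policy" or blank lines
        key, value = KV_RE.match(line).groups()
        # Tokenise so that "source-zone local untrust" (the step form) and two
        # separate source-zone lines (the script form) parse identically.
        current.setdefault(key, []).extend(value.split())
    return rules


def lint_rules(text):
    """Return findings for permit rules that let Untrust reach Local without restriction."""
    findings = []
    for name, fields in parse_rules(text).items():
        if fields.get("action") != ["permit"]:
            continue
        src = set(fields.get("source-zone", []))
        dst = set(fields.get("destination-zone", []))
        if "untrust" not in src or "local" not in dst:
            continue
        if any(k in fields for k in RESTRICTING_KEYS):
            continue
        findings.append(f"{name}: permits any service from untrust to local; "
                        "restrict it to the BGP peer address and TCP 179")
    return findings


if __name__ == "__main__":
    for label, text in (("page rules", PAGE_RULES), ("narrowed rules", NARROWED_RULES)):
        print(label, "->", lint_rules(text) or "no findings")
```

The check is deliberately conservative: any `service`, address, application or user qualifier is treated as a restriction, so it only reports rules that are wide open in both zone directions.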
# Configure FW_A: set up IBGP peers with FW_B and FW_C (roadmap step 1).
```
[FW_A] ipv6
[FW_A] bgp 10
[FW_A-bgp] router-id 2.2.2.2
[FW_A-bgp] peer 9:1::2 as-number 10
[FW_A-bgp] peer 9:3::2 as-number 10
[FW_A-bgp] ipv6-family
[FW_A-bgp-af-ipv6] peer 9:1::2 enable
[FW_A-bgp-af-ipv6] peer 9:3::2 enable
[FW_A-bgp-af-ipv6] network 9:1:: 64
[FW_A-bgp-af-ipv6] network 9:3:: 64
```
# Configure FW_B: set up IBGP peers with FW_A and FW_C.
```
[FW_B] ipv6
[FW_B] bgp 10
[FW_B-bgp] router-id 3.3.3.3
[FW_B-bgp] peer 9:3::1 as-number 10
[FW_B-bgp] peer 9:2::2 as-number 10
[FW_B-bgp] ipv6-family
[FW_B-bgp-af-ipv6] peer 9:3::1 enable
[FW_B-bgp-af-ipv6] peer 9:2::2 enable
[FW_B-bgp-af-ipv6] network 9:3:: 64
[FW_B-bgp-af-ipv6] network 9:2:: 64
```
# Configure FW_C: set up IBGP peers with FW_A and FW_B.
```
[FW_C] ipv6
[FW_C] bgp 10
[FW_C-bgp] router-id 4.4.4.4
[FW_C-bgp] peer 9:1::1 as-number 10
[FW_C-bgp] peer 9:2::1 as-number 10
[FW_C-bgp] ipv6-family
[FW_C-bgp-af-ipv6] peer 9:1::1 enable
[FW_C-bgp-af-ipv6] peer 9:2::1 enable
[FW_C-bgp-af-ipv6] network 9:2:: 64
[FW_C-bgp-af-ipv6] network 9:1:: 64
```
# Configure FW_A: set up the EBGP peer with Router (roadmap step 2).
```
[FW_A] bgp 10
[FW_A-bgp] peer 10::2 as-number 20
[FW_A-bgp] ipv6-family
[FW_A-bgp-af-ipv6] peer 10::2 enable
[FW_A-bgp-af-ipv6] network 10:: 64
```
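The IBGP and EBGP steps above only work if every peer statement is mirrored on the other device and activated under `ipv6-family`; a single missing `peer ... as-number` or `peer ... enable` leaves one session in Idle or Active. The following Python script is an added example, not part of the page: it parses the interface addresses and `bgp` stanzas from the page's three configuration scripts and checks that AS 10 forms a full IBGP mesh in both directions, that EBGP peers point outside the local AS, and that every peer is enabled for IPv6. The configuration text is constructed from the page with its addresses and AS numbers unchanged.

```python
"""Consistency check of the BGP4+ peering plan across FW_A, FW_B and FW_C."""
import ipaddress
import itertools
import re

# Constructed from the page's configuration scripts (addresses and ASNs unchanged).
CONFIGS = {
    "FW_A": """
interface GigabitEthernet 1/0/1
 ipv6 address 10::1/64
interface GigabitEthernet 1/0/2
 ipv6 address 9:3::1/64
interface GigabitEthernet 1/0/3
 ipv6 address 9:1::1/64
bgp 10
 peer 9:1::2 as-number 10
 peer 9:3::2 as-number 10
 peer 10::2 as-number 20
 ipv6-family
  peer 9:1::2 enable
  peer 9:3::2 enable
  peer 10::2 enable
""",
    "FW_B": """
interface GigabitEthernet 1/0/1
 ipv6 address 9:3::2/64
interface GigabitEthernet 1/0/3
 ipv6 address 9:2::1/64
bgp 10
 peer 9:2::2 as-number 10
 peer 9:3::1 as-number 10
 ipv6-family
  peer 9:2::2 enable
  peer 9:3::1 enable
""",
    "FW_C": """
interface GigabitEthernet 1/0/1
 ipv6 address 9:1::2/64
interface GigabitEthernet 1/0/3
 ipv6 address 9:2::2/64
bgp 10
 peer 9:1::1 as-number 10
 peer 9:2::1 as-number 10
 ipv6-family
  peer 9:1::1 enable
  peer 9:2::1 enable
""",
}

ADDR_RE = re.compile(r"^\s*ipv6 address (\S+)/\d+", re.M)
AS_RE = re.compile(r"^\s*bgp (\d+)", re.M)
PEER_RE = re.compile(r"^\s*peer (\S+) as-number (\d+)", re.M)
ENABLE_RE = re.compile(r"^\s*peer (\S+) enable", re.M)


def parse_config(text):
    """Extract local AS, interface addresses, peer->AS map and IPv6-enabled peers."""
    ip = ipaddress.ip_address
    return {
        "as": int(AS_RE.search(text).group(1)),
        "addresses": {ip(a) for a in ADDR_RE.findall(text)},
        "peers": {ip(p): int(asn) for p, asn in PEER_RE.findall(text)},
        "enabled": {ip(p) for p in ENABLE_RE.findall(text)},
    }


def check_peering(configs):
    """Return a list of problems; an empty list means the peering plan is consistent."""
    devices = {name: parse_config(cfg) for name, cfg in configs.items()}
    owner = {a: n for n, d in devices.items() for a in d["addresses"]}
    problems = []
    for name, d in devices.items():
        for addr, asn in d["peers"].items():
            other = owner.get(addr)  # None for devices outside the plan, e.g. the carrier Router
            if addr not in d["enabled"]:
                problems.append(f"{name}: peer {addr} is not enabled under ipv6-family")
            if asn == d["as"]:
                if other is None:
                    problems.append(f"{name}: IBGP peer {addr} is not an interface of any known device")
                elif devices[other]["as"] != asn:
                    problems.append(f"{name}: IBGP peer {addr} belongs to {other} in AS {devices[other]['as']}")
            elif other is not None and devices[other]["as"] == d["as"]:
                problems.append(f"{name}: {addr} ({other}) is in the local AS but configured as EBGP")
    # Full mesh: every pair of devices in one AS must peer with each other, in both directions.
    for (n1, d1), (n2, d2) in itertools.combinations(devices.items(), 2):
        if d1["as"] != d2["as"]:
            continue
        for src, dst, sname, dname in ((d1, d2, n1, n2), (d2, d1, n2, n1)):
            if not any(a in dst["addresses"] and asn == src["as"] for a, asn in src["peers"].items()):
                problems.append(f"{sname}: no IBGP peer statement toward {dname}")
    return problems


if __name__ == "__main__":
    print(check_peering(CONFIGS) or "peering plan is consistent")
```

Because the Router is not among the parsed devices, its address 10::2 is accepted as an external EBGP peer; the same address configured with `as-number 10` would be reported as an IBGP peer with no known owner.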
Verification
Check the connection status of the BGP4+ peers, taking FW_A as an example.
The following output indicates that the BGP4+ connections from FW_A to FW_B, FW_C, and Router have all been established.
```
[FW_A] display bgp ipv6 peer

 BGP local router ID : 2.2.2.2
 Local AS number : 10
 Total number of peers : 3                 Peers in established state : 3

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  9:1::2          4    10        8        9     0 00:05:37 Established        0
  9:3::2          4    10        2        2     0 00:00:09 Established        0
  10::2           4    20        9        7     0 00:05:38 Established        0
```
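Reading this output by eye works for three peers; an operations check wants the same comparison done by a script, against the peers that were actually planned. The following Python script is an added example, not part of the page: it parses the `display bgp ipv6 peer` table above into records, compares it with the expected peer list (addresses and AS numbers taken from the page's FW_A configuration), and reports sessions that are not Established, planned peers that are absent, and peers that are present but were never planned. The degraded output is constructed for the example and is not from the page.

```python
"""Parse ``display bgp ipv6 peer`` output and compare it with the peering plan."""
import ipaddress
import re

# Constructed sample: the FW_A output from the page, laid out in columns.
SAMPLE = """\
 BGP local router ID : 2.2.2.2
 Local AS number : 10
 Total number of peers : 3                 Peers in established state : 3

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  9:1::2          4    10        8        9     0 00:05:37 Established        0
  9:3::2          4    10        2        2     0 00:00:09 Established        0
  10::2           4    20        9        7     0 00:05:38 Established        0
"""

# Constructed degraded output: the EBGP session to the Router is stuck in Active and
# a peer that is not in the plan (10::9, AS 30) has appeared in the configuration.
DEGRADED = """\
 BGP local router ID : 2.2.2.2
 Local AS number : 10
 Total number of peers : 4                 Peers in established state : 3

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  9:1::2          4    10        8        9     0 00:05:37 Established        0
  9:3::2          4    10        2        2     0 00:00:09 Established        0
  10::2           4    20        0        0     0 00:00:00      Active        0
  10::9           4    30        3        3     0 00:01:12 Established        0
"""

# Expected peers on FW_A from the page's configuration: two IBGP (AS 10), one EBGP (AS 20).
EXPECTED = {"9:1::2": 10, "9:3::2": 10, "10::2": 20}

ROW_RE = re.compile(
    r"^\s*(?P<peer>[0-9a-fA-F:.]+)\s+(?P<v>\d+)\s+(?P<as>\d+)\s+(?P<rcvd>\d+)\s+"
    r"(?P<sent>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S+)\s+(?P<pref>\d+)\s*$"
)
SUMMARY_RE = re.compile(r"Total number of peers\s*:\s*(\d+).*?Peers in established state\s*:\s*(\d+)")


def parse_peers(text):
    """Return one dict per peer row; numeric columns become int, the address an ip_address."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, summary and column-header lines
        row = m.groupdict()
        for k in ("v", "as", "rcvd", "sent", "outq", "pref"):
            row[k] = int(row[k])
        row["peer"] = ipaddress.ip_address(row["peer"])
        rows.append(row)
    return rows


def audit(text, expected):
    """Compare the display output with the expected peer plan; return a list of findings."""
    findings = []
    rows = parse_peers(text)
    seen = {r["peer"]: r for r in rows}
    plan = {ipaddress.ip_address(a): asn for a, asn in expected.items()}
    for addr, asn in plan.items():
        r = seen.get(addr)
        if r is None:
            findings.append(f"{addr}: expected peer (AS {asn}) is missing from the output")
        elif r["as"] != asn:
            findings.append(f"{addr}: peer reports AS {r['as']}, plan says AS {asn}")
        elif r["state"] != "Established":
            findings.append(f"{addr}: session state is {r['state']}, not Established")
    for addr, r in seen.items():
        if addr not in plan:
            findings.append(f"{addr}: unexpected peer in AS {r['as']} ({r['state']})")
    m = SUMMARY_RE.search(text)
    established = sum(r["state"] == "Established" for r in rows)
    if m and (int(m.group(1)), int(m.group(2))) != (len(rows), established):
        findings.append("summary counters do not match the peer table")
    return findings


if __name__ == "__main__":
    for label, text in (("page output", SAMPLE), ("degraded output", DEGRADED)):
        print(label, "->", audit(text, EXPECTED) or "all planned peers Established")
```

Addresses are normalised through `ipaddress`, so `10::2` and `10:0:0:0:0:0:0:2` compare equal, and the summary counters are cross-checked against the rows actually parsed so a truncated capture is noticed rather than silently passing.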
Configuration Scripts
Configuration script of FW_A
```
#
 sysname FW_A
#
 ipv6
#
interface GigabitEthernet 1/0/1
 ipv6 enable
 ipv6 address 10::1/64
#
interface GigabitEthernet 1/0/2
 ipv6 enable
 ipv6 address 9:3::1/64
#
interface GigabitEthernet 1/0/3
 ipv6 enable
 ipv6 address 9:1::1/64
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/2
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
bgp 10
 router-id 2.2.2.2
 peer 9:1::2 as-number 10
 peer 9:3::2 as-number 10
 peer 10::2 as-number 20
 ipv4-family
  undo synchronization
 #
 ipv6-family
  network 9:1:: 64
  network 9:3:: 64
  network 10:: 64
  peer 9:1::2 enable
  peer 9:3::2 enable
  peer 10::2 enable
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_sec_2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
```
Configuration script of FW_B
```
#
 sysname FW_B
#
 ipv6
#
interface GigabitEthernet 1/0/1
 ipv6 enable
 ipv6 address 9:3::2/64
#
interface GigabitEthernet 1/0/3
 ipv6 enable
 ipv6 address 9:2::1/64
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
bgp 10
 router-id 3.3.3.3
 peer 9:2::2 as-number 10
 peer 9:3::1 as-number 10
 #
 ipv4-family
  undo synchronization
 #
 ipv6-family
  network 9:2:: 64
  network 9:3:: 64
  peer 9:2::2 enable
  peer 9:3::1 enable
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_sec_2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
```
Configuration script of FW_C
```
#
 sysname FW_C
#
 ipv6
#
interface GigabitEthernet 1/0/1
 ipv6 enable
 ipv6 address 9:1::2/64
#
interface GigabitEthernet 1/0/3
 ipv6 enable
 ipv6 address 9:2::2/64
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
bgp 10
 router-id 4.4.4.4
 peer 9:1::1 as-number 10
 peer 9:2::1 as-number 10
 #
 ipv4-family
  undo synchronization
 #
 ipv6-family
  network 9:1:: 64
  network 9:2:: 64
  peer 9:1::1 enable
  peer 9:2::1 enable
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_sec_2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
```